THE BOARD'S ROLE AND RESPONSIBILITIES OVER THE CONTROL ENVIRONMENT
Session 4
Road Map of Presentation
- Review of the key responsibilities of the Board - the direct links to the IC System & IA function
- Analyze the internal control system's definition, objectives and elements
- Distinguish IC System from the IA Function
- Analyze the internal audit function's definition, organization and structure
- Overview of External Audit and Compliance
- Audit Committee role, responsibilities and detailed duties
Key Functions of the Board
- Reviewing and guiding corporate strategy and risk policy
- Monitoring effectiveness of the company's governance
- Monitoring and managing potential conflicts of interest
- Ensuring the integrity of the firm's accounting and financial reporting systems, including the independent audit and that appropriate controls are in place, in particular, systems for risk management, financial and operational control, and compliance with the law and relevant standards.
- Overseeing disclosure and communications
OECD Corporate Governance Principles Section VI
Division of Responsibilities
Board of Directors
- Oversee the development and implementation of an adequate internal control system
- Monitor the independent assurance function
Management
- Establish and maintain an adequate and effective system of internal controls
- Develop a system to monitor and control risks
Internal Control Definition
A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.
- Operating objectives
- Reporting objectives
- Compliance objectives
COSO Integrated Framework, May 2013
BASEL FRAMEWORK FOR INTERNAL CONTROL SYSTEMS IN BANKING ORGANIZATIONS (1998)
1. Management oversight and the control culture.
2. Control activities and segregation of duties.
3. Risk recognition and assessment.
4. Information and communication.
5. Monitoring activities and correcting deficiencies.
COSO INTERNAL CONTROL - INTEGRATED FRAMEWORK (2013)
1. Control Environment - The set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring Activities
Mandatory Elements
IT Controls and Emerging Trend of the Board Technology Committee
COBIT 5: Framework for IT Internal Controls
COBIT 5 (Control Objectives for Information and Related Technology), as published by ISACA in 2012, provides a comprehensive framework to assist enterprises in the governance and management of IT.
Board Level Technology Committee
[Organization chart: Board of Directors; Technology Committee; Audit Committee; Other Committees; CEO; External Auditor; CIO; COO; CFO; Internal Audit]
- Recognizes the expanded role of IT as an integral part of the business.
- Used as the basis for the framework for managing operational and information risk in the context of Basel.
Key Questions to Ask about Internal Controls
- What is the role of the audit committee and the board in ensuring that proper internal controls are maintained, risks are managed and that the company is in compliance with all relevant laws and regulations?
- Describe how the company's internal controls (operational, financial and compliance, including IT systems) are designed and maintained.
- Are internal controls risk based?
- Were there any significant problems in internal controls in the past 5 years? Please describe.
- Does the board monitor that management responds to the deficiencies identified in Management Letters?
- Are internal controls designed in accordance with a relevant framework, e.g., COSO, COBIT, Basel?
Internal Control System
Internal control systems are the means by which:
- Operations are conducted in accord with prescribed policies and procedures.
- The enterprise is in compliance with applicable laws and regulations.
- The enterprise's assets and information are protected from improper use.
Internal Audit Function
- Internal audit provides the board and management with reasonable assurance that these systems are adequate and functioning well.
- Independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Source: Thomson Reuters ACCELUS, The State of Internal Audit 2014, (2014)
Internal Audit Objective and Tasks
OBJECTIVE: To provide the board and management with reasonable assurance that the organization has a sound system of internal control to protect against loss
- Evaluate the system of internal controls, risk management and CG
- Assess risks / component of risk management
- Test operations of systems (including IT)
- Communication, recommendations for improvement and follow up
Internal Audit's Assessment of Risk Management Function
Polling Question: In your opinion, how mature is your organization's risk management function?
A. We do not have a formal program or resources
B. In the development stage
C. Immature
D. Implemented, but requires additional work and resources
E. Robust and embedded framework and resources in place
Internal Audit Assessment of Risk Management Function
Source: Thomson Reuters ACCELUS, The State of Internal Audit 2013, (2013)
Key Features: The Internal Audit Function
- Continuity
- Independence
- Impartiality
- Professional competence
- Scope of activity
- Internal audit charter
Basel, The Internal Audit Function in Banks (2012)
CG Structure: Internal Audit Roles and Functions
Board of Directors
- Oversee the development and implementation of an adequate internal control system
- Monitor the independent assurance function
Management
- Establish and maintain an adequate and effective system of internal controls
- Develop a system to monitor and control risks
Internal Audit Function
- Assist management in the efficient and effective discharge of their responsibilities
- Advise and make recommendations on internal control, risk management and corporate governance
Internal Audit helps to monitor the Internal Controls
Monitoring the Internal Control Process
- Board, in particular, the Audit Committee oversees
- Managers have primary task to design and maintain controls
- Internal audit function evaluates
- External auditors assess and opine on
Outsourcing: Where Internal Audit Gets the Talent they Need
Polling Question: Do you outsource your internal audit?
A. Entirely
B. Partially
C. Not at all
D. I don't know
Outsourcing: Where Internal Audit Gets the Talent they Need
Source: PwC, State of the Internal Audit Profession Study, (Mar. 2013)
Corporate Governance Relationships
[Organization chart, labelled "Control Environment": Board of Directors; Risk Committee; Audit Committee; Other Committees; CEO / Management Board; CRO; CIO/Other; COO; CFO; External Auditor; Internal Audit Function; Compliance Function]
Internal Audit Reporting
Polling Question: How frequently does your internal audit committee interact with the board of directors?
A. Monthly
B. Quarterly
C. Annually
D. I don't know
Internal Audit Reporting
Source: Thomson Reuters ACCELUS, The State of Internal Audit 2013, (2013)
Future of Internal Audit Function: Trusted Advisor
Source: PwC, State of the Internal Audit Profession Study, (Mar. 2014)
Key Questions to Ask about Internal Audit
- To whom does the Chief Internal Auditor report?
- How is the IA chief hired/fired and does the CIA privately meet with the board or the audit committee?
- What is the relationship between IA, the Chair, CEO, CFO, CRO, CIO and external auditor?
- Are the IA work plans reviewed by the audit committee or the board?
- Does the board monitor management's response to deficiencies and weaknesses identified by the IA function?
- Are internal audits risk based?
- Were there any significant problems with internal audit in the past five years? Please describe.
- Is corrective action taken and followed up on?
- What are the audit standards applied by IA, e.g., IIA Standards?
- Does the external auditor rely on the work of internal audit in the conduct of the annual financial statement audit?
- How are conflicts of interest with internal auditors handled?
External Audit
- Audit committee/board in charge of selecting an auditor
- Auditor independence (attention to non-audit services)
- Regular contact with the auditor (through audit committee/board)
- Evaluation by the audit committee/board of the auditor's quality
- Invite representatives of the auditor to the shareholders' meetings
- Follow up on management letters issued by the auditor
- Disclosure of the audit report (annual report, website)
- Auditor/lead partner rotation
Changes in Audit Reporting
IAASB Exposure Draft
July 2013 Exposure Draft, Reporting on Audited Financial Statements: Proposed New and Revised International Standards on Auditing (ISAs)
1. Opinion/Basis for Opinion
2. Key Audit Matters
3. Going Concern
4. Responsibilities of Those Charged with Governance
5. Auditor's Responsibilities
6. Report on Legal and Regulatory Requirements
Key Questions to Ask about External Audit
- Who, formally and in practice, selects the external auditors and to whom are they accountable?
- What is the relationship between EA, the Chair, CEO, CFO, CRO, and CIA?
- Is there a policy to rotate the external auditors or the lead audit partners?
- Has the Audit Opinion ever been a Qualified, Disclaimer or Adverse Opinion? Why?
- Does the board monitor management's response to accounting and reporting control deficiencies and weaknesses identified by Management Letters and IA?
- What are the accounting standards used to report results (IFRS, GAAP)?
- What are the audit standards used by the external auditor (ISA, GAAS)? Any disparities with local standards and international standards?
- Does the external auditor rely on the work of internal audit in the conduct of the annual financial statement audit?
- Does the external auditor provide any other services besides the external audit?
Compliance and Whistleblowing: How is compliance related to corporate governance?
Source: Frame of reference for integrated GRC; Racz, Weippl, Seufert, 2010
Key Questions to Ask about Compliance
- Is there a compliance function? Is it a separate department/unit (centralized or decentralized)? Independence?
- What is the relationship between CCO, the Chair, CEO, CFO, CRO, and CIA?
- Is there a code of ethics?
- Please describe the company's compliance program or procedures, including training of employees, auditing and monitoring systems, and company hotline for reporting violations.
- Is there a Compliance Register?
- Are instances of non-compliance followed up on with corrective action?
Audit Committee Structure
- Charter or bylaws
- Co-ordination with and information links to full board
Composition
- >= 3 members
- Independence
- Financial literacy and financial expertise
Meetings
- At least quarterly
- Frequency of audit committee meetings is expected to vary according to the stage of development of oversight activities in the company
- Normal schedule of audit committee meetings that may be expanded when critical issues arise
Audit Committee Role and Responsibilities
External audit
- Appoints the external auditor and key contact point
- Recommends the audit fee to the Board and approves any non-audit services provided by the external auditor
- Discusses with the external auditor the nature and scope of the audit and reviews the auditor's quality control mechanisms
Internal audit
- Monitors and reviews the activities of internal audit
- Ensures that the internal audit is adequately resourced and has sufficient standing within the company
- Maintains the independence of IA and provides necessary resources
- Considers management response to IA recommendations
Controls and risk management
- Ensures that a comprehensive internal controls framework is in place
- Ensures the presence of a risk management policy document
Reporting and disclosure
- Reviews significant reporting issues and accounting policies
- Reviews company's semi-annual and annual financial statements
- Reviews formal announcements made to the shareholders
- Reviews relevant regulatory returns filed and disclosures made by the company
- Reviews the going concern assumption of the company
- Monitors and approves material related-party transactions
Expanding Role and Expertise of the Audit Committee
- In addition to financial expertise, what other in-depth experience or expertise currently resides on your AC?
- In what areas would you favor additional reporting/communication from AC to investors?
Source: KPMG ACI Global Audit Committee Survey, (2014)
CASE: Banco Navarra III: What is the Role of the Audit Committee?
- Read the case
- Pair or three-group analysis of the case
- Summarize the situation, from Carlos' perspective: What should Carlos do?
- Table groups: Identify CG issues (2-3)
- Report to whole group & discuss
Key Messages
- The Board has responsibility for an adequate control environment
- Adequate internal controls and a well-functioning internal audit function are the Board's best friend in this regard
Thank you!